> On Mar 15, 2021, at 5:58 AM, Eliot Lear <[email protected]>
> wrote:
>
> For libraries like OpenSSL I wouldn’t mind throwing in a new flag, for
> instance, that would be required to validate a cert based on the subject.
> That would help these other uses get over the hump over time; perhaps even
> with a warning of some form emitted.
See X509_check_host(3). Its behaviour is customisable via the
below flags:
X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT,
X509_CHECK_FLAG_NEVER_CHECK_SUBJECT,
X509_CHECK_FLAG_NO_WILDCARDS,
X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS,
X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS,
X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS.
So what Rich is proposing amounts to changing the default flag
setting from zero to X509_CHECK_FLAG_NEVER_CHECK_SUBJECT, and
then applications that want the legacy behaviour can just clear
that flag bit if they so desire.
--
Viktor.
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
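The flag semantics described in the reply above, as an added example (not part of the thread and not OpenSSL's own code): a small Python model of the X509_check_host(3) rules, so the effect of each flag, of today's zero default, of a X509_CHECK_FLAG_NEVER_CHECK_SUBJECT default, and of an application clearing that bit can be exercised offline. The flag values are the ones in OpenSSL's x509v3.h; the `Cert` dataclass, the helper names and every certificate name and host name below are constructed for this example, and the combination of a wildcard certificate name with a leading-dot host argument is deliberately not modelled.

```python
"""
Model of the X509_check_host(3) flag semantics.
Added example: this is NOT OpenSSL's code, only a re-implementation of the
rules so that the effect of each flag and of the default can be observed.
Flag values are those of OpenSSL's <openssl/x509v3.h>; the Cert structure
and all sample names are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import List

X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT    = 0x01
X509_CHECK_FLAG_NO_WILDCARDS            = 0x02
X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS    = 0x04
X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS   = 0x08
X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS = 0x10
X509_CHECK_FLAG_NEVER_CHECK_SUBJECT     = 0x20

LEGACY_DEFAULT   = 0                                    # today: CN consulted when no dNSName SAN
PROPOSED_DEFAULT = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT  # the proposal as the reply reads it


@dataclass
class Cert:
    """Minimal stand-in for an X509 object: dNSName SANs plus the subject CN (constructed)."""
    san_dns: List[str] = field(default_factory=list)
    subject_cn: str = ""          # empty string = no CN-ID present


def _labels(name: str) -> List[str]:
    return name.lower().split(".")


def _wildcard_matches(pattern: str, host: str, flags: int) -> bool:
    """Match a certificate name (possibly containing '*') against a host name."""
    p, h = _labels(pattern), _labels(host)
    if "*" not in pattern:
        return p == h
    if flags & X509_CHECK_FLAG_NO_WILDCARDS:
        return False
    first, rest = p[0], p[1:]
    # '*' only in the leftmost label, at most once, and followed by at least
    # two more labels (so "*.com" never matches anything).
    if first.count("*") != 1 or any("*" in r for r in rest) or len(rest) < 2:
        return False
    if first != "*" and flags & X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS:
        return False        # "f*o.example.com"-style patterns refused
    if flags & X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS:
        # "*.example.com" may cover "a.b.example.com": the '*' consumes every
        # leading host label that is not part of the fixed suffix.
        if len(h) <= len(rest) or h[-len(rest):] != rest:
            return False
        covered = ".".join(h[: len(h) - len(rest)])
    else:
        if len(h) != len(p) or h[1:] != rest:
            return False
        covered = h[0]
    prefix, suffix = first.split("*")
    return (len(covered) >= len(prefix) + len(suffix)
            and covered.startswith(prefix) and covered.endswith(suffix))


def _name_matches(pattern: str, host: str, flags: int) -> bool:
    """Handle the leading-dot form of the host argument, then defer to wildcard matching."""
    if not host.startswith("."):
        return _wildcard_matches(pattern, host, flags)
    # ".example.com" matches a certificate for any subdomain of example.com;
    # SINGLE_LABEL_SUBDOMAINS restricts that to direct children.
    # Wildcard certificate names combined with a leading-dot host are not modelled here.
    if "*" in pattern:
        return False
    parent, p = _labels(host[1:]), _labels(pattern)
    extra = len(p) - len(parent)
    if extra < 1 or p[-len(parent):] != parent:
        return False
    return extra == 1 if flags & X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS else True


def check_host(cert: Cert, host: str, flags: int = LEGACY_DEFAULT) -> int:
    """Model of X509_check_host(): 1 on match, 0 on mismatch."""
    if cert.san_dns:
        if any(_name_matches(n, host, flags) for n in cert.san_dns):
            return 1
        # dNSName SANs are present: the CN is ignored unless the caller insists.
        if not flags & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT:
            return 0
    if not cert.subject_cn or flags & X509_CHECK_FLAG_NEVER_CHECK_SUBJECT:
        return 0
    return 1 if _name_matches(cert.subject_cn, host, flags) else 0


def legacy_opt_in(flags: int) -> int:
    """What an application wanting the old CN fallback does under the new default: clear the bit."""
    return flags & ~X509_CHECK_FLAG_NEVER_CHECK_SUBJECT


if __name__ == "__main__":
    cn_only = Cert(subject_cn="www.example.com")        # constructed: CN-only certificate
    print(check_host(cn_only, "www.example.com", LEGACY_DEFAULT))                   # 1
    print(check_host(cn_only, "www.example.com", PROPOSED_DEFAULT))                 # 0
    print(check_host(cn_only, "www.example.com", legacy_opt_in(PROPOSED_DEFAULT)))  # 1
```

The three calls at the bottom are the whole proposal in miniature: a CN-only certificate that passes under a zero default fails once the default becomes X509_CHECK_FLAG_NEVER_CHECK_SUBJECT, and an application that clears that one bit gets the legacy behaviour back without touching any other flag.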